PROGRAM MANAGEMENT OF THE DEFENSE SECURITY SERVICE CASE CONTROL MANAGEMENT SYSTEM

Report No. D-2001-019
December 15, 2000

Office of the Inspector General
Department of Defense

Additional Copies

To obtain additional copies of this audit report, visit the Inspector General, DoD, Home Page at: www.dodig.osd.mil/audit/reports or contact the Secondary Reports Distribution Unit of the Audit Followup and Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Audit Followup and Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932. Ideas and requests can also be mailed to:

OAIG-AUD (ATTN: AFTS Audit Suggestions)
Inspector General, Department of Defense
400 Army Navy Drive (Room 801)
Arlington, VA 22202-4704

Defense Hotline

To report fraud, waste, or abuse, contact the Defense Hotline by calling (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or by writing to the Defense Hotline, The Pentagon, Washington, D.C. 20301-1900. The identity of each writer and caller is fully protected.

Acronyms

CCMS    Case Control Management System
DSS     Defense Security Service

Office of the Inspector General, DoD

Report No. D-2001-019 (Project No. D2000AL-0159)
December 15, 2000

Program Management of the Defense Security Service Case Control Management System

Executive Summary

Introduction.
This report discusses the program management of the Defense Security Service Case Control Management System in response to a request from the Chairmen of the Senate and House Committees on Armed Services. The Chairmen requested the review because of reported problems with processing security investigations for clearance determinations.

The Case Control Management System is an automated information system that guides and controls the Defense Security Service Enterprise System for opening, tracking, and closing personnel security investigation cases. The Enterprise System is a combination of 24 distinct primary information systems, subsystems, applications, and interfaces that share common data and connectivity.

The Defense Security Service believed that by establishing a paperless Enterprise System of automated applications, it would avoid as much as $80 million in operating costs and $900 million in reduced time for personnel security investigations. The Enterprise System did not meet performance expectations when it was deployed on October 28, 1998. Projected numbers of investigation case openings and closings did not materialize and times for investigations were not substantially reduced.

Objectives. The overall audit objective was to review the program management of the acquisition of the Defense Security Service Case Control Management System and the actions being taken to correct problems in its development and deployment. In addition, we evaluated the management control program related to the objective. See Appendix A for a discussion of the audit scope and methodology and the review of the management control program.

Results.
The Defense Security Service did not effectively manage the high risk involved in the integration of the Case Control Management System and the Enterprise System. As a result, those systems had significant limitations and were insufficiently tested and evaluated for operational effectiveness prior to deployment in October 1998, leading to failures that degraded Defense Security Service productivity. As of September 2000, project management had been greatly improved, but high risks remained. Resolution of design problems is continuing and measurements for reliability and maintainability at production objectives are still needed.

The Air Force Program Management Office has developed a phased acquisition strategy to stabilize the Case Control Management System and the Enterprise System with product improvements and incrementally migrate it to an improved Enterprise System architecture from FY 2002 through FY 2008. However, the DoD needs to consider alternative solutions for processing personnel security investigations before further decisions are made on future system architecture.

The Defense Security Service appropriately identified personnel security investigations as a material management control weakness area in FYs 1999 and 2000, and is taking corrective actions. The DoD should continue to report management control weaknesses in this area until all overdue personnel security clearances requiring reinvestigation are eliminated. See the Finding section for details on the audit results and Appendix A for details on the DoD management control program.

Summary of Recommendations.
We recommend that the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) and the Director, Defense Security Service, prior to making further decisions on the future system architecture, analyze whether the investment for the Case Control Management System and the Enterprise System provides the best business solution when compared to alternative solutions for opening, tracking, and closing personnel investigation cases.

Management Comments. The Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) and the Director, Defense Security Service, concurred with the report finding and recommendation. A discussion of the management comments is in the Finding section of the report, and the text of the management comments is in the Management Comments section.

Audit Response. The Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) and the Defense Security Service’s comments were positive, but incomplete. The comments did not describe corrective actions taken or planned, dates of actions taken, and estimated completion dates of planned actions for implementing the recommendation. Therefore, we request that both the Assistant Secretary of Defense and the Director, Defense Security Service, provide additional management comments by January 18, 2001.

Table of Contents

Executive Summary

Introduction
    Background
    Objective

Finding
    The Case Control Management System and the Enterprise System

Appendixes
    A. Audit Process
        Scope
        Methodology
        Management Control Program Review
        Prior Coverage
    B. Acquisition Guidance
    C. Components of the Enterprise System
    D. Enterprise System High Level Process View
    E. Status of TRW, Inc., Recommendations by Priority Ranking
    F. Report Distribution

Management Comments
    Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)
    Defense Security Service

Background

Personnel security investigations are essential for safeguarding classified resources. The Defense Security Service (DSS) manages and conducts these investigations for DoD. Annually, DSS closes more than 460,000 cases for clearance determinations by DoD central adjudication facilities.

In a March 14, 2000, letter to the Inspector General, DoD, the Chairmen of the Senate and House Armed Services Committees requested that a review be conducted of the recent reports regarding alleged problems with the DoD process for granting security clearances.
Citing an October 27, 1999, General Accounting Office report that traced one of the causes to a DSS automated information system, the Chairmen requested the Inspector General, DoD, to review the problems that DSS experienced in the development and operation of the Case Control Management System (CCMS).

The CCMS is the automated information system that guides and controls the DSS Enterprise System of hardware and software applications for opening, tracking, and closing personnel investigation cases. The Enterprise System is a combination of 24 primary information systems, subsystems, applications, and interfaces that share common data and connectivity. The DSS believed that establishing a paperless Enterprise System would avoid as much as $80 million in operating costs and $900 million in reduced time for personnel security investigations. The Enterprise System did not meet performance expectations when CCMS was deployed on October 28, 1998.

Prior to the General Accounting Office report, several groups were invited to review the Enterprise System and suggest improvements. Reviews of the acquisition were performed by a DSS Integrated Program Team in March 1999, an Air Force/MITRE Red Team, and a DoD support contractor, TRW, Inc. The Deputy Assistant Secretary of Defense for Security and Information Operations tasked the contractor to conduct an analysis of program management and oversight of the Enterprise System.
The TRW, Inc., report[1] made 37 short- and long-term recommendations for correcting and enhancing the system’s performance.

In August 1999, the Air Force Standards System Group formally became the DSS Program Manager for the Enterprise System’s development and operations. To improve and modernize the DSS Enterprise System, the Air Force Program Management Office prepared an acquisition strategy that it believed would stabilize the Enterprise System and incrementally migrate the system to a target architecture. The DSS FY 2002 Program Objective Memorandum programs funds to support this acquisition strategy through FY 2007.

[1] TRW, Inc., report, “TRW’s Evaluation of the Defense Security Service’s Case Control Management System,” July 21, 1999.

The Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) provides functional oversight for the DSS. Prior to September 2000, neither the CCMS nor the rest of the Enterprise System was designated as a major automated information system or a special interest initiative. Funds contractually obligated for the Enterprise System’s development and modernization amounted to $76 million from FY 1995 through FY 1999. Total planned development and operation costs for FY 2000 through FY 2007 are estimated to be $312 million.

Objective

The overall audit objective was to review the DSS program management of the CCMS acquisition and the actions being taken to correct problems in its development and deployment. In addition, we evaluated the management control program related to the objective.
See Appendix A for a discussion of the audit scope and methodology, prior coverage, and the review of the management control program.

The Case Control Management System and the Enterprise System

The DSS did not effectively manage the high risk involved in the integration of the CCMS and its Enterprise System. Those systems had significant limitations and were insufficiently tested and evaluated for operational effectiveness prior to deployment in October 1998, leading to failures that degraded DSS productivity. As of September 2000, project management had been greatly improved, but high risks remained. Resolution of design problems is continuing and measurements for reliability and maintainability at production objectives are still needed. In addition, DoD will need to consider alternative business solutions before making further decisions on the future system architecture.

Mandatory Guidance

The Clinger-Cohen Act of 1996, Office of Management and Budget Circulars, and DoD guidance for systems acquisition emphasize the importance of risk management when DoD organizations acquire information technology systems. Appendix B contains acquisition guidance for information technology systems.

Program Risk

Before deploying the CCMS in October 1998, DSS did not appreciate the technical and acquisition challenges involved with developing and deploying an information technology system with multiple interfaces. DSS did not implement effective risk management measures when it decided to become the system acquisition integrator and program manager for the Enterprise System.
Further, despite the key role of the CCMS in DSS operations that support virtually all DoD critical missions, minimal acquisition oversight and guidance was provided or offered by the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence). Also, DSS did not research and analyze alternative business processes to determine whether the DSS automated business function was the most cost-efficient and cost-effective solution for opening, tracking, and closing personnel security investigation cases prior to the development of the CCMS.

Technical Challenges. The Enterprise System deployed by the DSS in October 1998 had significant design limitations. The Enterprise System is a combination of linked internal and external information technology subsystems, many of which are derived from commercial-off-the-shelf hardware and software products. Specifically, CCMS, as the project management component of the Enterprise System, cannot open, track, or close investigation cases if the applications for workflow, scanning and printing, and interface links to the Defense Clearance and Investigations Index and corporate database do not function properly. Appendixes C and D provide a description of the Enterprise System and a diagram of the Enterprise System process.

Workflow. The sole-source acquisition and deployment of “Documetrix Workmanager,” a commercial-off-the-shelf workflow application, proved to be a high-risk endeavor. “Documetrix Workmanager” required over 400 tasks to be sequentially accomplished before a personnel security investigation could be closed. When DSS deployed its Enterprise System, the sequential processing routine limited CCMS processing efficiency.
Case analysts could not access the system to open investigation cases and define the work required. The DSS Integrated Process Team found that the CCMS with “Documetrix Workmanager” was taking four times longer to process cases than the paper-intensive process it replaced. A TRW, Inc., report described the “Documetrix Workmanager” as a major cause of CCMS inefficiency and operational problems.

Files Automation and Scanning Subsystem. The Files Automation and Scanning Subsystem, a commercial-off-the-shelf acquisition of hardware and software applications, also proved to be high risk. The Files Automation and Scanning Subsystem electronically passes paper and microfiche images to the CCMS applications for case openings and makes adjudication reports after case closures.

However, when DSS deployed the Enterprise System, the Files Automation and Scanning Subsystem failed to demonstrate operational effectiveness and reliability. The quality of electronic images passed to the CCMS was inconsistent and adjudication report processing was untimely. Further, DSS was aware of the scanning and printing anomalies. A list of more than 40 unresolved efficiency and reliability issues was submitted to the development contractor before the Enterprise System was deployed. As a result, when DSS went to a paperless operation, microfiche scans often had to be repeated. In addition, adjudication reports took an average of 9 weeks to print after case analysts closed the cases.

Defense Clearance and Investigations Index. After deploying the Enterprise System, DSS discovered that user access to and from the Defense Clearance and Investigations Index was being impeded. The Index could not process user clearance queries because the CCMS workflow application would continually return to the Index database searching for previously queried records.
As a result, traffic to and from the Index increased and subsequently taxed the Index’s ability to respond to customers’ demands for information.

DSS Corporate Database. On June 29, 2000, the Enterprise System was shut down when a corporate database table reached its maximum capacity. The cause of the shutdown was a design limitation, because tables in the database could not exceed 4 million blocks of records. The DSS and the Air Force Program Manager were unaware of the block sizing limitation. The Air Force Program Manager and support contractors resolved the problem and operations were resumed on July 10, 2000.

Program Management. In developing and deploying the Enterprise System, DSS did not follow the systems acquisition guidance of the Office of Management and Budget and DoD addressing risk avoidance, reduction, and acceptance. Although analyses and plans concluded that the Enterprise System was a complex acquisition and involved risks, DSS personnel were not prepared to assume system acquisition management and integration responsibilities.

Analyses and Designs. Systems analyses and designs prepared in 1989 and 1994 identified the risks involved in the development of the CCMS and Enterprise System. In a May 1989 functional analysis document, a contractor described the CCMS and the Enterprise System as a large complex system that would take several years to develop and implement, and that database storage planning and design would be key elements that would affect the performance of Defense Investigative Service[2]-maintained databases.
Further, the contractor recommended that the Defense Investigative Service include integration testing and parallel processing to mitigate risk.

The Defense Investigative Service’s Strategic Implementation Plan, prepared in April 1994, described the CCMS case opening, tracking, and closing modernization as a massive development effort that far exceeded the Government’s capability. Also, a Defense Investigative Service technical report described the modernization effort as a complex undertaking that should be incrementally acquired.

System Acquisition. Office of Management and Budget Circular A-109, “Major Systems Acquisitions,” April 1976, implemented by DoD Directive 5000.1, “Defense Acquisition,” March 15, 1996, requires that agencies engage skilled and experienced acquisition program managers for system solutions. Selected personnel should be knowledgeable in research and development, operations, engineering, testing, construction, contracting, prototyping, production, business, budgeting, and finance.

Further, the Circular provides seven objectives for managing systems acquisitions for avoiding, reducing, and accepting risks. Five of the seven objectives concern management controls.
Specifically, acquiring organizations should:

• provide solutions that fulfill a mission need, operate effectively in intended environments, and demonstrate levels of performance and reliability that justify the investments,

• provide strong checks and balances by ensuring adequate system tests and evaluations, and conduct tests and evaluations independent of developers and users where practicable,

• accomplish acquisition planning resulting from clear articulations of agency mission needs,

• develop acquisition strategies that include test and evaluation criteria, methods for obtaining and sustaining competition in contracting, and methods for analyzing risks, and

• maintain capabilities to predict, review, assess, negotiate, and monitor life-cycle costs, assess experience against predictions, and report results of assessments to agency directors at key decision points.

[2] The Defense Investigative Service was renamed the Defense Security Service in November 1997.

Management Skills and Experience. Despite having been warned that its proposed information technology system for managing personnel security investigations was high risk, DSS developed the system without researching and analyzing whether alternative functional solutions for opening, tracking, and closing investigation cases existed for its business process.
Assuming program management and systems integration responsibilities for the information technology acquisition, DSS did succeed in assembling a workable product. However, the product obtained with Government-wide acquisition contracts from hardware and software contractors was flawed, and according to TRW, Inc., “At best, the DSS Enterprise System is a working prototype.”

As the system program manager and integrator, DSS personnel did not have the requisite training or experience in acquiring and integrating automated information systems. The design, reliability, and maintainability discrepancies discovered after the system was deployed can be traced to personnel lacking experience and skills in research and development, operations, engineering, testing, construction, contracting, prototyping, production, business, budgeting, and finance. Such skills are obtained through structured classroom and on-the-job training. As concluded by TRW, Inc., “Overall, [CCMS] looks like a business example for how not to do a system acquisition.”

Test and Evaluation. DSS did not stress test the CCMS and the Enterprise System for opening, tracking, and closing investigation cases before deploying it. Specifically, DSS did not deliberately try to “crash” the system to determine its threshold limits and did not perform prolonged operational tests to determine system reliability and maintainability.

Tests conducted prior to system deployment demonstrated only the functionality of the CCMS and the Enterprise System and did not demonstrate its effectiveness and suitability in an operational environment.
As a result, DSS did not identify unknown defects, such as the inaccessibility of the Defense Clearance and Investigations Index and the limitations of sequential processing. Further, DSS could not project the extent of known design limitations with the Files Automation and Scanning Subsystem and the corporate database.

Life-Cycle Costing. DSS did not cost out the phases of the Enterprise System acquisition from development through disposal. Planned functions and tasks were not identified by fiscal years over the system’s acquisition life. As a result, funds for acquiring the Enterprise System did not translate operational needs and requirements into an information technology solution or identify resources for operating and maintaining the deployed system.

Project Monitoring. DSS did not monitor the CCMS and Enterprise System acquisition to review, assess, predict, and report results. Without a life-cycle baseline for the system’s acquisition phases, cost, schedule, and performance comparisons for measuring progress, computing deviations, and projecting results could not be determined.

DSS measured progress in acquiring the CCMS and the Enterprise System based on fiscal year resources and obligated funds. The CCMS and the Enterprise System could not be tested and evaluated in an operational environment for effectiveness and suitability because available funds were not programmed for a test facility.

Documentation. DSS deployed the CCMS and the Enterprise System without testing the design configuration and operating documentation.
By not conducting prolonged operational tests and evaluations to determine whether the automated information systems could be safely recovered and returned to service after failures, DSS did not know whether the systems could be suitably maintained. The TRW, Inc., report stated that it was “imperative” for DSS to develop an operations plan for resolving system bottlenecks and identifying sources of inefficiencies and malfunctions.

TRW, Inc., also identified additional program baseline documentation required for effectively and efficiently maintaining and sustaining the CCMS and the Enterprise System. Specifically, TRW, Inc., indicated that reports and analyses were needed to address concept of operations, system requirements specifications, interface control definitions and maintenance plans.

Program Oversight

The Clinger-Cohen Act requires Chief Information Officers to monitor and evaluate the performance of information technology programs and advise the heads of agencies whether to continue, modify, or terminate a program. The Office of Assistant Secretary of Defense (Command, Control, Communications, and Intelligence), the DoD Chief Information Officer, did not actively participate in the acquisition of the DSS Enterprise System because costs of the investment fell below cost thresholds[3] established for classification as a major automated information system.
In addition, as the Principal Staff Assistant responsible for the development, oversight, and integration of DoD policies and programs relating to security, the Office of the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) should have exercised acquisition oversight over DSS and chose not to do so. As a result, DSS was allowed to develop, deploy, and operate the CCMS and the Enterprise System for personnel security investigations without the benefit of program oversight and guidance.

[3] Major automated information systems are estimated to require program costs in any single year in excess of $30 million (FY 1996 constant dollars), and total program costs in excess of $120 million (FY 1996 constant dollars), or total life-cycle costs in excess of $360 million (FY 1996 constant dollars).

Since March 1999, the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) has been more proactively involved with the DSS information technology acquisition. The Assistant Secretary planned to subject the DSS Enterprise System to DoD Directive 5000.1 acquisition guidance by designating it as a major automated information systems acquisition when he releases the revised list of designated major automated information system acquisition and special interest initiative programs.

Prior Report Recommendations

Recommendations from the Air Force/MITRE Red Team[4] and a report from TRW, Inc., ranged from establishing a program management office to system replacement and maintenance.
Ranked by short-term and long-term significance, DSS was using these recommendations for follow-up and progress reporting on the General Accounting Office report’s[5] recommendation to correct the CCMS. See Appendix E for the TRW, Inc., recommended actions and the progress DSS made in addressing them. In addition, DSS processed a CCMS change request to account for security investigations from request to case closure as a result of Inspector General, DoD, Report No. D-2000-134, “Tracking Security Clearance Requests,” May 30, 2000.

Management Activities

Following the Red Team and TRW, Inc., recommendations, DSS began modifying its deployed automated information systems and baselining its system acquisition for Clinger-Cohen Act certification by the DoD Chief Information Officer. Since the Air Force and its contractors assumed program and functional responsibilities for the Enterprise System, DSS has made production advances in achieving its performance goal of closing more than 50,000 investigations per month. From December 1999 through June 2000, case closure rates increased from 19,561 to 38,374 investigations per month.

However, design limitations exist and demonstrated reliability and maintainability at planned production goals remain to be determined. The Files Automation and Scanning Subsystem improvements still require continuous human supervision for processing and printing paper documents. Also, the corporate database could shut down the DSS Enterprise System if closed investigation cases are not removed and archived.
Further, closed investigations remaining in the database affect case processing efficiency by extending time required for opening, tracking, and closing active investigations.

Although DSS was aware of the corporate database design limitation when the Enterprise System was deployed, DSS did not consider it a high priority. However, as the cases processed increase, the database design limitation becomes an increasing concern. For example, the number of cases in process on June 30, 2000, was 433,620 compared to 337,378 on December 31, 1999. Further, the number of cases in process for more than 360 days was 69,260 on June 30, 2000, compared to 14,242 on December 31, 1999.

[4] Air Force/MITRE Red Team report, “Red Team Recommendations-Transition Ahead,” July 14, 1999.

[5] General Accounting Office Report No. NSIAD-00-12, “Inadequate Personnel Security Investigations Pose National Security Risks,” October 27, 1999.

As of April 2000, the corporate database contained 26 million records for opened and closed cases. System efficiency could be significantly increased if inactive records populating the database could be removed and archived. DSS and the Air Force Program Management Office are aggressively taking action to reduce the records in the Enterprise System’s corporate database.
The Air Force Program Management Office estimates that 25 million records could be removed from the corporate database and archived.

Analysis of Alternatives

The Air Force Program Management Office developed a phased acquisition strategy for maintaining and modernizing the CCMS and Enterprise System. The strategy involved introducing product improvements that will incrementally migrate it to an improved system architecture from FY 2002 through FY 2008. The strategy did not include an analysis of alternatives because the Air Force Program Management Office assumed that the business function for opening, tracking, and closing investigation cases would remain a DSS mission responsibility.

Clinger-Cohen Act. Public Law 104-106, Division E, “Clinger-Cohen Act,” sections 5113 and 5123, “Performance and Results-Based Management,” requires agency heads to make decisions that affect information technology investments. Before investing in a new information system, heads of each executive agency are to determine whether the function in need of automation should be performed by the executive agency and, if so, whether the function should be performed by a private sector source under contract or by executive agency personnel. Also, the Act requires that agency heads analyze missions and, based on the analysis, revise mission-related processes and administrative processes, as appropriate, before making significant investments in information technology.

Other Investigative Sources. Alternative automated business processes for managing personnel investigations may exist for opening, tracking, and closing personnel investigation cases.
DSS plans to outsource more than 1 million requests for security investigation cases, or 30 percent of its estimated workload, to the Office of Personnel Management and private-sector contractors between FY 2000 and FY 2003. Although DSS will maintain accountability, the forwarded cases will not be opened and tracked in the CCMS and the Enterprise System. The Office of Personnel Management and the private-sector contractors will be responsible for managing the case investigations they receive and for maintaining project management systems for opening, tracking, and closing assigned cases.

Because alternative business processes for managing personnel investigations will be employed by the Office of Personnel Management and private-sector contractors, we believe the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) and DSS should reassess whether the CCMS and the Enterprise System provide the most efficient and effective business solution. DoD personnel security clearance requirements that drive DSS workload investigation cases have been addressed by an integrated product team established by the Deputy Secretary of Defense to review the DoD personnel security investigation process. Alternative solutions have also been discussed at meetings with Government and contractor personnel familiar with the business process. Further, the Deputy Assistant Secretary of Defense for Security and Information Operations stated before a congressional subcommittee that alternatives would be analyzed before DoD commits to a future architecture.
[6]
However, we found no indication of formal in-depth analysis of alternatives.

Conclusion

DSS deployed the CCMS and its Enterprise System for opening, tracking, and closing investigation cases in October 1998 without first demonstrating system operational effectiveness and suitability. By not managing risks with accountable links to program definition, structure, design, assessments and reports, and oversight decision reviews, DSS acquired the CCMS and the Enterprise System with known and unknown design, reliability, and maintainability limitations. As of September 2000, DSS and the Air Force Program Management Office had restored system acquisition discipline. However, design inefficiencies still exist, and reliability and maintainability at planned production objectives still need to be demonstrated.

The Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) plan to designate the CCMS and the Enterprise System as a Major Automated Information System is a positive development. Further, the Deputy Assistant Secretary of Defense for Security and Information Operations indicated that alternatives would be analyzed before DoD commits to a future architecture. Action is needed now to lay groundwork for future decisions that need to consider alternatives for the CCMS and the Enterprise System target architecture.
Because alternative Government and private-sector systems exist that may provide efficient and effective solutions for opening, tracking, and closing investigation cases, the target architecture needs to be reassessed to determine its validity.

[6] Testimony to the Subcommittee on National Security, Veterans Affairs, and International Relations, House Committee on Government Reform, September 20, 2000.

Recommendation, Management Comments, and Audit Response

We recommend that the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) and the Director, Defense Security Service, prior to making further decisions on the future system architecture, analyze whether the investment for the Case Control Management System and the Enterprise System provides the best business solution when compared to alternative solutions for opening, tracking, and closing personnel investigation cases.

Management Comments. The Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) and the Director, Defense Security Service, concurred with the recommendation. In addition, the Director attached a matrix to his comments with suggested editorial corrections to the report.

Audit Response. The Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) and the Defense Security Service comments were positive, but incomplete.
The comments did not specifically address corrective actions taken or planned, dates of actions taken, and estimated completion dates of planned actions for implementing the recommendation. Therefore, to facilitate the followup tracking that is required by DoD Directive 7650.3, we request that both the Assistant Secretary of Defense and the Director, Defense Security Service, provide additional management comments by January 18, 2001. The text of the management comments is in the Management Comments section. However, a matrix attached to the Director’s comments was not included in the final report because the suggested changes did not affect the results and conclusions of the audit.

Appendix A. Audit Process

Scope

Work Performed. We conducted this program audit from April 2000 through August 2000 and reviewed documentation dated from May 1989 through August 2000.
To accomplish the audit objective we:

• interviewed officials and obtained documentation from the offices of the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence); the Director, DSS; cognizant officials and personnel involved in the acquisition and operation of the CCMS and the DSS Enterprise System; the Air Force Program Management Office; and contractor personnel;

• reviewed available documents covering program requirements, program definition, program assessments and decision reviews, periodic reporting, and program management and oversight;

• reviewed ongoing and completed work correcting the deficiencies addressed in the General Accounting Office’s October 1999 report, “Inadequate Personnel Security Investigations Pose National Security Risks;” and

• evaluated the adequacy of management controls related to CCMS and DSS information technology acquisitions.

DoD-Wide Corporate Level Government Performance and Results Act Coverage. In response to the Government Performance and Results Act, the Secretary of Defense annually establishes DoD-wide corporate level goals, subordinate performance goals, and performance measures. This report pertains to achievement of the following goal, subordinate performance goals, and performance measure:

FY 2001 DoD Corporate Level Goal 2: Prepare now for an uncertain future by pursuing a focused modernization effort that maintains U.S. qualitative superiority in key warfighting capabilities. Transform the force by exploiting the Revolution in Military Affairs, and reengineer the Department to achieve a 21st century infrastructure.
(01-DoD-2)

• FY 2001 Subordinate Performance Goal 2.3: Streamline the DoD infrastructure by redesigning the Department’s support structure and pursuing business practice reforms. (01-DoD-2.3)
• FY 2001 Subordinate Performance Goal 2.5: Improve DoD financial and information management. (01-DoD-2.5)
    Performance Measure 2.5.3: Qualitative Assessment of Reforming Information Technology Management. (01-DoD-2.5.3)

DoD Functional Area Reform Goals. Most major DoD functional areas have also established performance improvement reform objectives and goals. This report pertains to achievement of the following functional area objectives and goals:

Information Technology Management Functional Area.
• Objective. Become a mission partner.
    Goal. Serve mission information users as customers. (ITM 2.1)

• Objective. Provide services that satisfy customer information needs.
    Goal. Build architecture and performance infrastructures. (ITM 2.1)
    Goal. Improve information technology management tools. (ITM-2.4)

General Accounting Office High-Risk Area. The General Accounting Office has identified several high-risk areas in the DoD. This report provides coverage of the Information Management and Technology high-risk area.

Methodology

We conducted this program audit in accordance with auditing standards issued by the Comptroller of the United States, as implemented by the Inspector General, DoD. Accordingly, we included tests of management controls considered necessary. We did not use computer-processed information to perform this audit.

Contacts During the Audit.
We visited or contacted individuals and organizations within and outside DoD. Further details are available upon request.

Management Control Program Review

DoD Directive 5010.38, “Management Control (MC) Program,” August 26, 1996, and DoD Instruction 5010.40, “Management Control (MC) Program Procedures,” August 28, 1996, require DoD organizations to implement a comprehensive system of management controls that provides reasonable assurance that programs are operating as intended and to evaluate the adequacy of the controls.

Scope of the Review of the Management Control Program. In accordance with DoD Directive 5000.1, “Defense Acquisition,” March 15, 1996, and DoD 5000.2-R, “Mandatory Procedures for Major Defense Acquisition Programs (MDAPs) and Major Automated Information System (MAIS) Acquisition Programs,” March 15, 1996, acquisition managers are to apply program cost, schedule, and performance parameters to control objectives for implementing DoD Directive 5010.38 requirements. Accordingly, we limited our review to management controls directly related to the acquisition of the CCMS and the DSS Enterprise System. We also reviewed management’s self-evaluation of management controls applicable to the acquisition of DSS information technology.

Adequacy of the Management Controls.
Management controls were inadequate for the acquisition of the CCMS and the DSS Enterprise System. The control problems identified in this report, as they relate to the initial system deployment, were addressed by the DSS partnership with the Air Force and the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) plan to designate the DSS Enterprise System as a Major Automated Information System. However, as reported in the DSS Federal Managers’ Financial Integrity Act Annual Statement of Assurance for FYs 1999 and 2000, DSS should continue reporting personnel security investigations as a material management control weakness until all overdue security clearances requiring reinvestigation are eliminated.

Adequacy of Management’s Self-Evaluation. As part of the corrective action taken in response to the General Accounting Office audit, DSS developed an inventory of management control assessable units and recognized information technology as a major management control assessable unit. Risk assessments were completed and the DSS was reviewing them to develop a plan for conducting evaluations.

Prior Coverage

During the last 5 years, the General Accounting Office issued one report on security clearance background investigations. Also, three other groups issued reports specifically addressing the CCMS and Enterprise System.

• General Accounting Office Report No. NSIAD-00-12 (OSD Case No.
1901), “Inadequate Personnel Security Investigations Pose National Security Risks,” October 27, 1999

• TRW, Inc., Systems Integration Group, Final Report, “TRW’s Evaluation of DSS CCMS,” July 21, 1999

• Air Force/MITRE Red Team report, “Red Team Recommendations-Transition Ahead,” July 14, 1999

• DSS Integrated Program Team Report, “A Near-Term Strategy to Correct Deficiencies in the Enterprise System,” May 1999

Appendix B. Acquisition Guidance

The Clinger-Cohen Act of 1996, Office of Management and Budget Circulars, and DoD guidance for systems acquisitions emphasize the importance of risk management when addressing policies and procedures for system and information technology acquisitions.

Clinger-Cohen Act of 1996

The Clinger-Cohen Act of 1996 requires agencies to design and implement a process for assessing and managing the risks of information technology acquisitions to include analyzing, tracking, evaluating, and reporting on risks and results of all major information technology capital investments.

Office of Management and Budget Circulars

Circular A-109. Circular A-109, “Major Systems Acquisitions,” April 1976, provides acquisition management objectives and a management structure that agencies should follow to ensure the effectiveness and efficiency of the acquisition process.

Circular A-130.
Circular A-130, “Management of Federal Information Resources,” February 8, 1996, requires agencies to establish management oversight mechanisms that determine whether the system continues to fulfill mission requirements and to ensure that major information systems proceed in a timely fashion towards agreed-upon milestones.

DoD Guidance

DoD Directive 5000.1. DoD Directive 5000.1, “Defense Acquisition,” March 15, 1996, establishes a disciplined, yet flexible, management approach for acquiring quality products. The Directive emphasizes that rigorous internal management control systems are integral elements of effective and accountable program management and that material management control weaknesses are identified through deviations from approved system acquisition program baselines.

DoD Directive 8000.1. DoD Directive 8000.1, “Defense Information Management (IM) Program,” October 27, 1992, establishes policy and assigns responsibilities for the implementation, execution, and oversight of the Defense Information Management Program. The Directive requires a disciplined life-cycle approach to manage information systems to effectively execute DoD missions.

DoD Regulation 5000.2-R. DoD Regulation 5000.2-R, “Mandatory Procedures for Major Defense Acquisition Programs (MDAPs) and Major Automated Information Systems (MAIS) Acquisition Programs,” March 15, 1996, requires every system acquisition program to establish cost, schedule, and performance objectives and thresholds at system acquisition program initiation.
The Regulation also requires that program managers use a management process to translate operational needs and requirements into a system solution with accountable links to program definition, structure, design, assessments and reports, and oversight decision reviews.

Appendix C. Components of the Enterprise System

The following subsections provide an overview of each component of the DSS Enterprise System.

Case Control Management System

The CCMS is the centerpiece of the overall DSS Enterprise System. As the Enterprise System’s guidance and control element, the CCMS provides the means for collecting and disseminating personnel investigation data. The CCMS automated the paper-intensive, manual activities performed by the DSS Operations Centers, Baltimore, Maryland, and Columbus, Ohio. CCMS receives, stores, and acts upon personnel security requests, such as personnel security updates and requests for investigation. Investigation requests require a scope determination on whether to proceed with a field investigation. If an investigation is necessary, CCMS automatically opens a case and generates the required leads. CCMS provides personnel security analysts with the required tools to manage personnel security actions and investigations. The CCMS and the DSS Enterprise System consist of a central corporate database and an automated case workflow process that feeds information into the CCMS through several interface connections.

Files Automation and Scanning Subsystem

The Files Automation and Scanning Subsystem is the second largest element of the DSS Enterprise System and manages documents that are maintained in the DSS corporate database.
Paper and microfiche documents are scanned, converted to electronic image files, and stored on magnetic drives referred to as the Files Automation and Scanning Subsystem towers. Once the documents are on the towers, DSS personnel, using CCMS and Files Automation and Scanning Subsystem applications, can access them. The Files Automation and Scanning Subsystem also provides a distribution subsystem, forms processing subsystem, and a backup subsystem. The distribution subsystem creates reports containing discrete data from the DSS corporate database and Files Automation and Scanning Subsystem image files and distributes them on several mediums: internet web sites, facsimile, paper, and computer output to microfiche. The forms processing subsystem provides forms recognition and data entry to convert paper forms to discrete data that can be stored in the corporate database.

Defense Clearance and Investigations Index System

The Defense Clearance and Investigations Index system provides a central index of clearance and investigative information originated by authorized DoD agencies. An Internet web forms version, an Internet dynamic version, and a system client-server version of the application provide the information. The Defense Clearance and Investigations Index supplies information on people, companies or events, and associated tracings to authorized agencies.
These agencies include:
• United States Military (Army, Navy, Air Force, and Coast Guard)
• National Security Agency
• Defense Security Service
• Inspector General, DoD
• Defense Office of Hearings and Appeals
• Defense Logistics Agency
• Washington Headquarters Service
• Defense Intelligence Agency

Other agencies (some outside DoD) also have access to the Defense Clearance and Investigations Index system. Overall, there are approximately 2700 users of the Defense Clearance and Investigations Index system worldwide. The tracings include dossiers, aliases, national agency checks, and personal clearances. Authorized users can perform a variety of functions including query, add, delete, update, and print. In addition, users can request statistical, file demand, batch error, and the Defense Clearance and Investigations Index Disclosure Accounting System reports.

Industrial Security System

The Industrial Security System assists in monitoring DoD contractors who have access to classified information and tracks the issuance, maintenance, and management of contractor clearances. The Industrial Security System, a UNIX-based Oracle database application, uses tables within the DSS corporate database. The Industrial Security System provides industrial security representatives and others with proper access privileges to data on cleared and uncleared DoD contractor facilities.
The data enable DSS to track the security clearances of Defense contractors and to measure the performance of industrial security representatives. The Industrial Security System is comprised of the Industrial Security System Central, an application with the DSS corporate database, and the Industrial Security System Field, an application residing on a desktop or notebook computer using a Microsoft Access database. Industrial security representatives fax or email facility database changes to the DSS Defense Industrial Security Clearance Office and use the Industrial Security System Central update function to make additions, changes, or deletions of the facility database in the corporate database.

Electronic Personnel Security Questionnaire System

The Electronic Personnel Security Questionnaire System simplifies the information reporting process required to conduct background investigations. The function of Electronic Personnel Security Questionnaire is to streamline the data-gathering process so that complete and accurate information is collected and validated rapidly. The Electronic Personnel Security Questionnaire System is an automated data entry and validation system designed to allow personnel and security officers to quickly and easily enter the data required. The system validates the data, prints copies of the appropriate forms, and generates export diskettes for the security officer. The Electronic Personnel Security Questionnaire was designed specifically to eliminate rejection of incomplete or inaccurate investigation requests. Features in the Electronic Personnel Security Questionnaire notify users when the information is mandatory and what the format should be.
Security officers do not submit personnel information for processing until the Electronic Personnel Security Questionnaire is error free and complete.

Automated Credit Manager System

The Automated Credit Manager system uses telephone modem connections to the three commercial credit reporting agencies. The Automated Credit Manager system is used to gather credit report information, which is regularly requested as part of the security clearance investigation process, on individuals under investigation. The Automated Credit Manager system transmits credit information requests, receives return credit reports, and places the collected data into the DSS Enterprise System’s corporate database for CCMS processing.

Financial Crimes Enforcement Network System

The Financial Crimes Enforcement Network system application uses the computer supporting the Automated Credit Manager system and a separate dedicated secure modem to run batch queries that conduct automated checks of Financial Crimes Enforcement Network database records. Inquiries are primarily run against the Social Security Numbers of personnel under DSS investigation, but can also be run against names, dates of birth, and partial Social Security Numbers.
The Financial Crimes Enforcement Network is a Department of the Treasury organization that provides a Government-wide, multi-source intelligence and analytical network to support the DSS, law enforcement, and regulatory agencies in detection, investigation, and prosecution of financial crimes.

Field Information Management System II

The Field Information Management System II is an automated system loaded in field agents’ laptop computers that provides tools to:
• Create reports of investigation
• Submit leads and other case data
• Produce summary reports of case data
• Obtain data from the Personnel Investigation Center
• Manage investigative agents’ data and supporting information

The Field Information Management System II manages the electronic data link used to send and receive data from agent laptops to DSS. The system was created to support DSS regional and field offices in their efforts to process cases as DSS field agents produce them. The Field Information Management System II allows data to be transferred between field agents, field offices, regional offices, and the DSS Personnel Investigation Center located in the Operations Center, Baltimore, Maryland.

Field Information Management System - Middleware

The Field Information Management System-Middleware software application allows CCMS to be used with the Field Information Management System II to convert CCMS-generated leads into Field Information Management System II action lead sheets that can be sent to the field electronically.
The Field Information Management System-Middleware also translates incoming electronically transmitted Field Information Management System II reports of investigations into a CCMS-readable format.

File Control Management System

The File Control Management System is a computer application hosted on the CCMS server that allows authorized users to request dossiers from DSS repositories. The File Control Management System also provides the mechanism for a user to input data from paper and telephone requests into its corporate database. The File Control Management System verifies authorized user rights and permissions against tables in the corporate database. When a user demands a file, the File Control Management System checks the corporate database to determine whether a file from the repository has been scanned into electronic form. When a file exists, the File Control Management System interfaces with the Files Automation and Scanning Subsystem to access data relating to the file demand. If the demanded file is not in the Files Automation and Scanning Subsystem repository, a “pick ticket” displaying all of the information that is required for a file clerk to pull the microfiche is printed in the DSS Investigative Files Branch. After the file has been scanned, the corporate database is updated and the file demand is processed. The File Control Management System - Files Automation and Scanning Subsystem interface allows the Files Automation and Scanning Subsystem to track and monitor the progress of a file demand. User/Agency demands for file data are ultimately captured in the Disclosure Accounting System.
The File Control Management System was designed to replace manually routing the paper to different personnel to process a single file demand.

Disclosure Accounting System

The Disclosure Accounting System is an automated application hosted on the CCMS server that records file release data and other disclosure information in support of the Privacy Act, the Freedom of Information Act, and personnel at the DSS. The Disclosure Accounting System is run against data as an element of the corporate database and is used by DSS to record the release to DoD and non-DoD agencies of personal information used in DSS Personnel Security Investigations and the Defense Clearance and Investigations Index. The Disclosure Accounting System records who received the information, the reason for release, the releasing DSS office, the type of information released, and the release date. The Disclosure Accounting System database is populated from information passed from the File Control Management System to the Files Automation and Scanning Subsystem and from the Files Automation and Scanning Subsystem to the Disclosure Accounting System.

Authorized File Requesters

The Authorized File Requesters is a database-centered application hosted on the CCMS server that contains a listing of authorized agencies and personnel who may request DSS investigative dossiers. The Authorized File Requesters’ application can also be used to run queries to search for a particular agency using a five-digit accreditation account number.

Reject Tracking System

The Reject Tracking System is an automated computer application hosted on the CCMS server that enables DSS to track paper requests that have been rejected and returned by DSS to requesters prior to their input to the CCMS.
    The Reject Tracking System application generates notification letters to
    requesters and identifies all of the deficiencies that caused the request to be
    rejected. The Reject Tracking System tracks suspense dates on actions requiring
    followup and also allows for a query capability by Social Security Number.

User Community Management System
    The User Community Management System is an automated application hosted
    on the CCMS server that is used to grant access permissions and user rights to
    personnel with a need to access the CCMS and the Enterprise System. The
    User Community Management System records access to the various DSS
    automated information systems and applications in the corporate database.

Automated Scoping Guide System
    The Automated Scoping Guide System is a database-centered application hosted on
    the CCMS server that provides a listing of most communities by zip code and
    designates which DSS field offices are responsible for investigative work in each
    area. The application includes remarks sections that clarify scoping responsibilities
    and other pertinent information about specific communities. The CCMS uses the
    database information to automatically scope investigations in workflow, and users
    can access the scoping guide from DSS local area network workstations to
    manipulate data.

DSS Toolbar
    The DSS toolbar is a custom Graphical User Interface application that serves as a
    front-end user entry point for accessing all of the applications connected to the DSS
    corporate database. The Graphical User Interface connects to the DSS-developed
    User Community Management System and the Commercial-off-the-Shelf Password
    Manager software program, both of which are resident on the corporate database
    servers.
    The Graphical User Interface requires the user to log on to the database
    with a controlled identification number and password.

Lead Reconciliation Tool
    The Lead Reconciliation Tool is an automated application tool that reconciles the
    field offices’ databases with the DSS corporate database. The Lead Reconciliation
    Tool also contains an external gateway File Transfer Protocol script that is run from
    a desktop workstation and a Lead Reconciliation Tool component field application.
    The Lead Reconciliation Tool captures pertinent DSS corporate database
    information at the DSS Operations Center relating to Field Information Management
    System II-connected field offices and compares case data and statuses with the Field
    Information Management System II system-generated information. The Lead
    Reconciliation Tool gateway connects to the Field Information Management
    System II system and processes pending and closed Lead Reconciliation Tool data
    and File Transfer Protocol’s consolidated packages of information via a DSS Link
    connection to each DSS field office operational location. DSS field offices perform
    data reconciliation, case management, and statistical reporting functions using the
    field component of the Lead Reconciliation Tool application.

Internal File Transfer Protocol Server
    The DSS Internal File Transfer Protocol Server is a stand-alone, DSS
    Intranet-connected computer available inside the DSS firewalls for DSS local
    area network File Transfer Protocol use. Several of the DSS Enterprise System
    applications use File Transfer Protocol to transfer and handle data files. At
    DSS, File Transfer Protocol actions are accomplished with manual and
    automated connections.
    File Transfer Protocol is a standard protocol that is the
    simplest way to exchange files between connected computers.

External File Transfer Protocol Server
    The DSS External File Transfer Protocol Server is a stand-alone, DSS
    Internet-connected computer available outside the DSS firewalls for external
    File Transfer Protocol use. File Transfer Protocol is a standard protocol that is
    the simplest way to exchange files between computers connected on the Internet.
    At DSS, File Transfer Protocol actions are accomplished with manual and
    automated connections.

External Office of Personnel Management Gateway
    The external Office of Personnel Management gateway is hosted on a computer
    at DSS that provides a dedicated communications link supporting data exchange
    between the DSS Defense Clearance and Investigations Index and the Office of
    Personnel Management’s Security Suitability Investigations Index. Although
    housed on a separate computer, the gateway is an essential part of the Defense
    Clearance and Investigations Index and the Security Suitability Investigations
    Index applications.

External Immigration and Naturalization Service Gateway
    The external Immigration and Naturalization Service gateway is hosted on a
    computer at DSS that provides a dedicated communications link supporting data
    exchange between the Immigration and Naturalization Service master index and
    the DSS corporate database. Immigration and Naturalization Service files
    contain the location of naturalization certificates, citizenship certificates, visas,
    records of aliens, and other information that is checked as part of the national
    agency check process when conducting security investigations.
    The gateway also supports data exchange for Financial Crimes Enforcement
    Network information obtained by DSS as a liaison on behalf of the Immigration
    and Naturalization Service.

External Interface to the Central Intelligence Agency
    The External Interface to the Central Intelligence Agency is a batch computer
    application process that involves operator-assisted manual actions and automated
    computer actions. The application processes file demands created through the
    Defense Clearance and Investigations Index or the File Control Management
    System and their related application sub-processes. The Central Intelligence
    Agency External Interface application results in the creation and reading of a
    data tape that is either sent to the Central Intelligence Agency or received from
    the Central Intelligence Agency for processing.

External Interface to the Federal Bureau of Investigation
    The External Interface to the Federal Bureau of Investigation is a batch
    computer application process that involves operator-assisted manual actions and
    automated computer actions. The Federal Bureau of Investigation conducts
    three types of checks for DSS as part of the personnel investigation process.
    Requests for information come from CCMS leads that generate Federal Bureau
    of Investigation identification fingerprint card check, name check, and combined
    name and fingerprint card check requests.
    The Federal Bureau of Investigation External Interface application results in
    the creation and reading of a data tape that is either sent to the Federal Bureau
    of Investigation or received from the Federal Bureau of Investigation for
    processing.

Navy Joint Adjudication and Clearance System
    The Navy Joint Adjudication and Clearance System is hosted on the CCMS and
    Enterprise System server and, in conjunction with the DSS corporate database,
    contains personnel security data on all Department of the Navy and Marine
    Corps military and civilian personnel and Coast Guard military personnel. The
    Navy Joint Adjudication and Clearance System also serves as an internal case
    management system that supports the day-to-day operations of the Navy’s
    central adjudication facility. Message traffic generated by the system informs
    recipient commands on the status of security clearance requests or final results
    of personnel security determinations. Additionally, the Navy Joint Adjudication
    and Clearance System provides data management and analysis reports, audit
    trails, and historical case-tracking information.

Appendix D. Enterprise System High Level Process View

    LEGEND
    CIA    Central Intelligence Agency
    CCMS   Case Control Management System
    DCII   Defense Clearance and Investigations Index
    DM     Document Management
    DS     Device Server
    EI     External Interface
    EPSQ   Electronic Personnel Security Questionnaire
    FASS   Files Automation and Scanning Subsystem
    FBI    Federal Bureau of Investigation
    FIMS   Field Information Management System
    ISS    Industrial Security System
    RFA    Report for Adjudication
    WFS    Workflow Server
    WFU    Workflow User

Appendix E. Status of TRW Inc., Recommendations by Priority Ranking

Priority  TRW Recommendations                                                    Status
   1.     Establish and operate a program management office organization         Complete
   2.     Manage CCMS recovery and sustainment                                   Complete
   3.     Manage replacement systems acquisition                                 In-Progress
   4.     Institute formal flow control of the CCMS Workflow tool                In-Progress
   5.     Develop a more appropriate year 2000 test environment                  Complete
   6.     Upgrade infrastructure baseline                                        In-Progress
   7.     Upgrade and/or replace workflow product                                In-Progress
   8.     Develop concept of operations and requirements specification           In-Progress
          documents
   9.     Eliminate the use of “route-back” within CCMS workflows                In-Progress
  10.     Establish an integrated DSS Enterprise Systemwide action team          Complete
  11.     Develop a high level workflow performance model                        In-Progress
  12.     Establish a replacement system acquisition strategy                    In-Progress
  13.     Investigate upgrading the database management system                   In-Progress
  14.     Use contractor facilities for year 2000 testing                        Complete
  15.     Evaluate the utility of manually archiving data                        In-Progress
  16.     Analyze and optimize CCMS/Files Automation and Scanning                In-Progress
          Subsystem configuration to reduce instability
  17.     Evaluate rebalancing workload on Digital Equipment Corporation         In-Progress
          8400 computers and Oracle databases
  18.     Evaluate other methods to reduce CCMS/Files Automation and             Contingent¹
          Scanning Subsystem instability
  19.     Develop a more robust CCMS/Files Automation and Scanning               In-Progress
          Subsystem interface
  20.     Reduce number of overhead functions associated with each               In-Progress
          workflow task
  21.     Correct errors in request-for-adjudication processing                  In-Progress
  22.     Implement general hardware recommendations                             In-Progress
  23.     Upgrade microfiche scanning processes to increase reliability          In-Progress
  24.     Evaluate additional Document Management Export debugging               Contingent¹
          strategies
  25.     Enhance Document Management Export error recovery                      In-Progress
  26.     Investigate the effect of more powerful central processing units       Complete
  27.     Improve the paper-based request for adjudication process               In-Progress
  28.     Evaluate and expedite fixes for current known data integrity problems  In-Progress
  29.     Implement database configuration changes to optimize performance       In-Progress
  30.     Analyze performance requirements for system improvements               In-Progress
  31.     Identify and collect performance metrics                               In-Progress
  32.     Implement backup and restore capability                                Pending²
  33.     Investigate electronic dissemination of requests for adjudication      Complete
  34.     Implement percentage of items awaiting operator action as basis for    In-Progress
          workflow performance
  35.     Implement improved manual case entry process                           Complete
  36.     Perform routine backups of databases, mailboxes, queues, relevant      Pending²
          directories and files
  37.     Plan for long-term system maintenance                                  In-Progress

  ¹ Implementation depends on results of another TRW recommendation.
  ² Action will be resourced when funding becomes available.

Appendix F. Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense (Comptroller/Chief Financial Officer)
  Deputy Chief Financial Officer
  Deputy Comptroller (Program/Budget)
Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)
  Deputy Assistant Secretary of Defense (Security and Information Operations)
  Director, Information Technology Acquisition and Investments

Department of the Army
Auditor General, Department of the Army

Department of the Navy
Naval Inspector General
Auditor General, Department of the Navy

Department of the Air Force
Assistant Secretary of the Air Force (Financial Management and Comptroller)
Auditor General, Department of the Air Force

Other Defense Organizations
Director, Defense Security Service
   Inspector General, Defense Security Service
Director, Defense Contract Audit Agency
Director, Defense Contract Management Agency
Director, Defense Logistics Agency
Director, National Security Agency
   Inspector General, National Security Agency
Inspector General, Defense Intelligence Agency

Non-Defense Federal Organization
Office of Management and Budget

Congressional Committees and Subcommittees, Chairman and
  Ranking Minority Member
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Management, Information, and Technology,
  Committee on Government Reform
House Subcommittee on National Security, Veterans Affairs, and International
  Relations, Committee on Government Reform

Assistant Secretary of Defense (Command, Control,
Communications, and Intelligence) Comments

Defense Security Service Comments

* Appropriate corrections were made to the final report. (Table not included in this report)

Audit Team Members
The Acquisition Management Directorate, Office of the Assistant Inspector General
for Auditing, DoD, prepared this report.

Thomas F. Gimble
Mary Lu Ugone
Charles M. Santoni
David M. Wyte
Steven J. Bressi
Donald Stockton
Robert R. Johnson
Walter S. Bohinski